# 创建CA的公钥、私钥对
openssl genrsa -out ca.key.pem  -verbose 4096

# 使用CA的公钥私钥对生成一个自签名证书

openssl req -new -x509 -days 3650 -sha256  -key ca.key.pem -out ca.cert.pem  -subj "/C=CN/O=Lab/C
N=StrongSwan root ca"
# 查看内容
ll
total 8.0K
-rw-rw-r-- 1 luo luo 1.9K  9月 27 21:00 ca.cert.pem
-rw------- 1 luo luo 3.2K  9月 27 20:57 ca.key.pem



# moon 创建一个rsa公钥私钥对
openssl genrsa -out moon.key.pem  -verbose 4096

# 创建一个 x509 csr证书请求
openssl req -new   -sha256  -key moon.key.pem -out moon.csr  -subj "/C=CN/O=Lab/CN=moon cert"

# 使用 CA 给 moon 的csr证书请求做签名
# 快速偷懒法（不用 ca 命令，直接 x509 自签）
#       如果你只是实验室里需要一张“被 CA 签过”的主机证书，不需要 CRL、序号数据库这些 PKI 设施，可以用一行命令搞定
#       缺点：不会写数据库，无法吊销，但给 StrongSwan 用完全没问题。
# 最终生成 moon自己的x509证书 -out moon.cert.pem
openssl x509 -req  -days 365  -sha256  -CAkey ca.key.pem   -CA ca.cert.pem -in moon.csr   -out moon.cert.pem
Certificate request self-signature ok
subject=C = CN, O = Lab, CN = moon cert

# 最终生成的文件
ll
total 20K
-rw-rw-r-- 1 luo luo 1.9K  9月 27 21:00 ca.cert.pem
-rw------- 1 luo luo 3.2K  9月 27 20:57 ca.key.pem
-rw-rw-r-- 1 luo luo 1.8K  9月 27 21:17 moon.cert.pem
-rw-rw-r-- 1 luo luo 1.6K  9月 27 21:02 moon.csr
-rw------- 1 luo luo 3.2K  9月 27 21:00 moon.key.pem

# 查看moon证书信息
openssl x509 -in moon.cert.pem  -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            4c:35:35:55:4d:7d:93:7d:e4:43:f2:ae:c7:2d:69:49:d0:83:4a:52
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, O = Lab, CN = StrongSwan root ca
        Validity
            Not Before: Sep 27 13:17:00 2025 GMT
            Not After : Sep 27 13:17:00 2026 GMT
        Subject: C = CN, O = Lab, CN = moon cert
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)

# 用CA的证书验证 moon的证书是否有效
openssl verify -CAfile ca.cert.pem moon.cert.pem
moon.cert.pem: OK



# 生成https所需的rsa公私钥
openssl genrsa -out 192.168.18.10.key.pem  -verbose 4096

# 如果是生成https证书的话，一般 CN= 就等于使用此证书所在的域名
openssl req -new   -sha256  -key 192.168.18.10.key.pem -out 192.168.18.10.csr  -subj "/C=CN/O=Lab
/CN=192.168.18.10"

# 使用ca对https证书请求文件 192.168.18.10.csr 进行签名，得到tls证书
openssl x509 -req  -days 365  -sha256   -CAkey ca.key.pem   -CA ca.cert.pem -in 192.168.18.10.csr  -out 192.168.18.10.cert.pem
Certificate request self-signature ok
subject=C = CN, O = Lab, CN = 192.168.18.10

# 验证证书
openssl verify -CAfile ca.cert.pem 192.168.18.10.cert.pem
192.168.18.10.cert.pem: OK

# 下面拼接证书这步没有必要
# 没有显示根CA证书的原因是最下面的，没有使用x509v3的Subject Alternative Name字段来绑定IP
# 但是这样的证书在浏览器里面证书链显示不完整（不包含CA证书，只有192.168.18.10自己的证书）

# 把192.168.18.10的证书和ca证书放在一起，由服务器发给浏览器
cat 192.168.18.10.cert.pem ca.cert.pem  > 192.168.18.10_ca.cert.pem




# 上面有个坑，会报错
# Chrome 报错
# NET::ERR_CERT_COMMON_NAME_INVALID
# 核心原因：
#   证书里只有 CN=192.168.18.10，而没有 SAN（Subject Alternative Name）扩展，Chrome/Edge 从 58 起完全忽略 CN 字段，只认 SAN。
#       → 必须重新签发一张把 IP 写进 SAN 的证书。

openssl req -new -key 192.168.18.10.key.pem -out 192.168.18.10.csr   -config <(
cat <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = 192.168.18.10
[v3_req]
subjectAltName = IP:192.168.18.10
extendedKeyUsage = serverAuth,clientAuth
EOF
)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
192.168.18.10 []:192.168.18.10
# 注意：最后一行提示要输入IP    192.168.18.10 如上所示


# 使用CA证书签名 tls证书
openssl x509 -req -days 825 -sha256   -in 192.168.18.10.csr   -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial   -out 192.168.18.10.cert.pem    -extfile <(
    echo "subjectAltName = IP:192.168.18.10"
    echo "extendedKeyUsage = serverAuth,clientAuth"
  )
Certificate request self-signature ok
subject=CN = 192.168.18.10


openssl x509 -text -in 192.168.18.10.cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5a:98:f4:66:f4:7e:84:1e:17:73:a2:e1:2f:c8:b0:16:71:43:d8:33
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, O = Lab, CN = StrongSwan root ca
        Validity
            Not Before: Sep 27 14:39:57 2025 GMT
            Not After : Dec 31 14:39:57 2027 GMT
        Subject: CN = 192.168.18.10
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    # 省略
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            # 这里多出来的x509v3的 Subject Alternative Name 指定了ip
            # 浏览器就不会再报错了
            X509v3 Subject Alternative Name:
                IP Address:192.168.18.10
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Key Identifier:
                32:67:6D:F5:A5:2A:B4:A7:D1:79:00:C0:F1:09:47:B8:6C:AA:82:E2
            X509v3 Authority Key Identifier:
                6A:AB:48:12:98:92:16:2E:13:93:BD:74:02:41:6B:18:BB:78:58:8E
    Signature Algorithm: sha256WithRSAEncryption



/etc/nginx/conf.d/tls.conf

# 80 强制跳 443
server {
    listen 80;
 #   server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;                 # http2 可选
    #server_name example.com www.example.com;

    # 1. 证书与私钥
    ssl_certificate     /home/luo/openssl/192.168.18.10.cert.pem;
    ssl_certificate_key /home/luo/openssl/192.168.18.10.key.pem;




    # 6. 业务 location
    location / {
        root /var/www/html;
        index index.nginx-debian.html;
    }


}